{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-defender-smartscreen/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Windows Defender SmartScreen"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying attempts to weaken Windows Defender SmartScreen by modifying registry settings. SmartScreen is a security feature designed to protect users from malicious websites and files. Attackers may attempt to lower the protection level to \u0026ldquo;Warn\u0026rdquo; from its default settings to reduce user suspicion when running potentially malicious executables. This allows malware to execute with a warning prompt, increasing the chances of successful deployment. This activity is often part of a broader defense evasion strategy employed after initial access has been gained.\nThe detection specifically monitors changes to the \u003ccode\u003eShellSmartScreenLevel\u003c/code\u003e registry value.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system, typically through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a process with elevated privileges (e.g., via UAC bypass) to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe process modifies the registry key \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ShellSmartScreenLevel\u003c/code\u003e or \u003ccode\u003eHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ShellSmartScreenLevel\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe registry value \u003ccode\u003eShellSmartScreenLevel\u003c/code\u003e is set to \u0026ldquo;Warn\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe modified registry setting takes effect, causing SmartScreen to only display a warning when a potentially malicious executable is run.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious executable that would normally be blocked by SmartScreen.\u003c/li\u003e\n\u003cli\u003eSmartScreen displays a warning prompt instead of blocking the execution.\u003c/li\u003e\n\u003cli\u003eThe user, less suspicious due to the less severe warning, allows the executable to run, leading to system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the SmartScreen level can lead to a compromised system. If a user is tricked into running malware due to the less stringent warning, attackers can achieve code execution, persistence, and further lateral movement within the network. This can result in data theft, ransomware deployment, or other malicious activities.\nWhile specific victim counts are unavailable, the impact can be significant depending on the targeted environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 logging to monitor registry modifications (as per the data_source in the rule).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SmartScreen Downgrade via Registry Modification\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eShellSmartScreenLevel\u003c/code\u003e being set to \u0026ldquo;Warn\u0026rdquo; to determine if the activity is malicious.\u003c/li\u003e\n\u003cli\u003eBlock processes attempting to modify the \u003ccode\u003eShellSmartScreenLevel\u003c/code\u003e registry value using endpoint detection and response (EDR) tools (based on the Registry.registry_path in the rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-smartscreen-downgrade/","summary":"This analytic detects modifications to the Windows Registry to set Windows Defender SmartScreen level to 'Warn', which can reduce user suspicion and increase the risk of malware execution.","title":"Windows Defender SmartScreen Level Downgrade to 'Warn'","url":"https://feed.craftedsignal.io/briefs/2024-01-02-smartscreen-downgrade/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Defender SmartScreen","version":"https://jsonfeed.org/version/1.1"}